Organizations seeking to better secure their Oracle databases should look more closely at their Oracle index infrastructure, which is open to attacks on patched and unpatched vulnerabilities with what one researcher called “trivial” exploits that could lead to unauthorized access.
By working with a little code and with permissions within Oracle indexes, it is possible to gain privilege escalation, said security researcher David Litchfield.
There is a relatively under-explored area of research that could pose big risks as a result, he said.
“Oracle has done a great job in terms of things like PL SQL injection flaws — they’ve almost been hunted to extinction. But they seem to be led by what the security research part of the industry is doing. That’s what they’re focused on,” said Litchfield, chief security architect for Accuvant Labs.
Some of the flaws Oracle already patched within the last few years, including a stack-based buffer overflow vulnerability patched in April 2012.
Another patched flaw Litchfield had a proof-of-concept attack on was a vulnerability in a RDBMS core component that allows an attacker to take advantage of granting over-generous permissions in the index to gain full DBA privileges on the database.